[aur-dev] [PATCH] Geshi AUR implementation

Lukas Fleischer archlinux at cryptocrack.de
Thu Sep 30 14:13:27 EDT 2010


On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
> > This introduces a remote file inclusion vulnerability allowing an
> > attacker to read arbitrary files since "$pkgbuild" is not validated
> > before passing it to file_get_contents().
> > 
> > Don't apply this patch until everything is fixed, please.
> Thanks for your suggestions, I added them all to CCR ;)

Btw, this is still not fixed! Have a look at [1].

You should consider using basename(), realpath() and/or regexp to check
the PKGBUILD path. Also check [2], [3].

[1]
http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
[2] http://www.madirish.net/?article=427
[3] http://www.acunetix.com/websitesecurity/php-security-3.htm
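
Added example (not part of the original message, and not AUR or CCR code): one way to combine the regexp, basename() and realpath() checks suggested above before the path reaches file_get_contents(). The storage root, the function name read_pkgbuild() and the package-name pattern are assumptions made for illustration.

```php
<?php
// Added example. PKG_BASE, read_pkgbuild() and the name pattern are assumptions.
const PKG_BASE = '/srv/aur/packages'; // hypothetical storage root

function read_pkgbuild(string $pkgname, string $base = PKG_BASE): ?string
{
    // 1. Regexp allow-list: no '/', '\', ':', NUL or leading dot, so neither
    //    "../" sequences nor URL wrappers ("http://...") get through.
    if (!preg_match('/\A[A-Za-z0-9@_+][A-Za-z0-9@._+-]{0,127}\z/', $pkgname)) {
        return null;
    }
    // 2. basename() as a second layer in case the pattern is loosened later.
    if (basename($pkgname) !== $pkgname) {
        return null;
    }
    // 3. realpath() resolves symlinks and ".."; it returns false when the
    //    file does not exist.
    $root = realpath($base);
    $path = ($root === false) ? false : realpath("$root/$pkgname/PKGBUILD");
    if ($path === false || !is_file($path)) {
        return null;
    }
    // 4. The resolved path must still be below the base directory. Compare
    //    with a trailing separator so "/srv/aur/packages-old" does not match.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $data = file_get_contents($path);
    return ($data === false) ? null : $data;
}

// Constructed demo tree in a temporary directory (sample data, not from the page).
$base = sys_get_temp_dir() . '/pkgbuild-demo-' . getmypid();
$outside = $base . '-outside.txt';
mkdir("$base/foo", 0700, true);
mkdir("$base/linked", 0700, true);
file_put_contents("$base/foo/PKGBUILD", "pkgname=foo\n");
file_put_contents($outside, "outside the base\n");
symlink($outside, "$base/linked/PKGBUILD"); // symlink leaving the base

$inputs = ['foo', '../foo', 'http://example.org/PKGBUILD', 'linked', 'missing'];
foreach ($inputs as $name) {
    $result = read_pkgbuild($name, $base);
    printf("%-30s %s\n", $name, $result === null ? 'rejected' : 'read ' . strlen($result) . ' bytes');
}
```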

